04-08-2004, 06:15 AM #1
Senior Member
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736

very strange dmesg output
this is the output I get from dmesg
what does it mean?
3.38.113.3 DST=62.30.238.191 LEN=85 TOS=0x00 PREC=0x00 TTL=246 ID=14519 DF PROTO=UDP SPT=53 DPT=1066 LEN=65
DROPPED IN=ppp0 OUT= MAC= SRC=194.117.157.4 DST=62.30.238.191 LEN=105 TOS=0x00 PREC=0x00 TTL=251 ID=65238 DF PROTO=UDP SPT=53 DPT=1059 LEN=85
DROPPED IN=ppp0 OUT= MAC= SRC=193.38.113.3 DST=62.30.238.191 LEN=105 TOS=0x00 PREC=0x00 TTL=246 ID=14520 DF PROTO=UDP SPT=53 DPT=1067 LEN=85
DROPPED IN=ppp0 OUT= MAC= SRC=193.38.113.3 DST=62.30.238.191 LEN=85 TOS=0x00 PREC=0x00 TTL=246 ID=14521 DF PROTO=UDP SPT=53 DPT=1062 LEN=65
DROPPED IN=ppp0 OUT= MAC= SRC=50.26.183.44 DST=62.30.238.191 LEN=438 TOS=0x00 PREC=0x00 TTL=78 ID=63642 DF PROTO=UDP SPT=53 DPT=1026 LEN=418
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.37.147 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=64926 PROTO=TCP SPT=80 DPT=1037 SEQ=2538350621 ACK=4238546219 WINDOW=9300 RES=0x00 RST URGP=0
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48371 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48499 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48708 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.187.244.186 DST=62.30.238.191 LEN=46 TOS=0x00 PREC=0x00 TTL=52 ID=61833 PROTO=UDP SPT=33028 DPT=7818 LEN=26
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15747 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15752 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15757 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.255.26 DST=62.30.238.191 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52962 DF PROTO=TCP SPT=57962 DPT=2593 SEQ=2861498673 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0FDBCFD30000000001030300)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.255.26 DST=62.30.238.191 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52963 DF PROTO=TCP SPT=57962 DPT=2593 SEQ=2861498673 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0FDBD0FF0000000001030300)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.255.26 DST=62.30.238.191 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52964 DF PROTO=TCP SPT=57962 DPT=2593 SEQ=2861498673 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0FDBD3570000000001030300)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.254.67 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56336 DF PROTO=TCP SPT=3522 DPT=2593 SEQ=304643934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.254.67 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56381 DF PROTO=TCP SPT=3522 DPT=2593 SEQ=304643934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.254.67 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56485 DF PROTO=TCP SPT=3522 DPT=2593 SEQ=304643934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.59.104 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=5345 PROTO=TCP SPT=80 DPT=1040 SEQ=2485671909 ACK=54199685 WINDOW=9300 RES=0x00 RST URGP=0
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16063 DF PROTO=TCP SPT=2752 DPT=2593 SEQ=1870094582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16066 DF PROTO=TCP SPT=2752 DPT=2593 SEQ=1870094582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16070 DF PROTO=TCP SPT=2752 DPT=2593 SEQ=1870094582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=61475 DF PROTO=TCP SPT=65235 DPT=2593 SEQ=634750401 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=61550 DF PROTO=TCP SPT=65235 DPT=2593 SEQ=634750401 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=61681 DF PROTO=TCP SPT=65235 DPT=2593 SEQ=634750401 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=199.71.38.213 DST=62.30.238.191 LEN=681 TOS=0x00 PREC=0x00 TTL=112 ID=10789 PROTO=UDP SPT=20164 DPT=1026 LEN=661
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16263 DF PROTO=TCP SPT=2793 DPT=2593 SEQ=1925532333 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16266 DF PROTO=TCP SPT=2793 DPT=2593 SEQ=1925532333 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
it goes on and on like this for ages
I had to cut some out to allow this to be posted
OPT
martian source 213.48.36.32 from 127.0.0.1, on dev ppp0
ll header: 45:00:00:28
martian source 213.48.36.32 from 127.0.0.1, on dev ppp0
ll header: 45:00:00:28
DROPPED IN=ppp0 OUT= MAC= SRC=64.156.39.12 DST=213.48.36.32 LEN=574 TOS=0x00 PREC=0x00 TTL=116 ID=38526 PROTO=UDP SPT=666 DPT=1026 LEN=554
martian source 213.48.36.32 from 127.0.0.1, on dev ppp0
ll header: 45:00:00:28
DROPPED IN=ppp0 OUT= MAC= SRC=146.145.104.180 DST=213.48.36.32 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=22776 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54316

04-08-2004, 06:21 AM #2
Member
Registered: Jul 2003
Location: netherlands
Distribution: debian
Posts: 403

somehow the dmesg shows some IP traffic information... do you notice anything strange at boot time? did you do / install / configure something special with your network?
greetz,
-= iluvatar =-
Last edited by iluvatar; 04-08-2004 at 06:24 AM.

04-08-2004, 06:33 AM #3
Senior Member
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736
Original Poster

no
boot is normal
no special events at boot time
just a normal, stand alone machine

04-08-2004, 06:34 AM #4
Member
Registered: Jul 2003
Location: netherlands
Distribution: debian
Posts: 403

hmm analyzing the log take a look at these rows:
Quote:
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.37.147 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=64926 PROTO=TCP SPT=80 DPT=1037 SEQ=2538350621 ACK=4238546219 WINDOW=9300 RES=0x00 RST URGP=0
|
this means there's an incoming packet from 216.239.37.147 (this seems to be google), the source port is 80 (http) which is the web server port (looks all right). the destination IP is 62.30.238.191, which must be yours. the protocol is TCP of course
blablabla etc anyway, it's nothing to worry about, except for the fact this shouldn't be in your dmesg output (as far as I know). how this is possible I don't know...
greetz,
-= iluvatar =-
ps: nothing wrong, except the packet is dropped. you don't use the internet on that machine? or: can you use it?

04-08-2004, 06:47 AM #5
Senior Member
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736
Original Poster

yes I use the internet on it
I have guarddog installed
could that be it?
maybe guarddog is dumping its log into dmesg? (just guessing here)
I noticed this dmesg behaviour first in mandrake 10 (different from 9.2)

04-08-2004, 07:11 AM #6
Member
Registered: Jul 2003
Location: netherlands
Distribution: debian
Posts: 403

here I am again... I took a look at the website of guarddog, noticed this:
Quote:
The Log aborted TCP connections (half open scans) check box controls whether TCP connections that are forcefully terminated using a RST packet are logged. A port scanning technique known as "half-open" scanning uses RST packets to quickly abort a half-open TCP connection in order to avoid detection. This can be done using nmap's -sS option. By turning this option on you can detect and log when this happens. Unfortunately many web servers like to quickly terminate connections by using a RST packet. This can produce quite a lot of unwanted noise in your system logs. Therefore you may want to turn this option off. Also, this option only has effect when the firewall is used on a Linux kernel 2.4 machine in combination with iptables.
|
and most of all, this sentence:
Quote:
Unfortunately many web servers like to quickly terminate connections by using a RST packet. This can produce quite a lot of unwanted noise in your system logs.
|
so webpages you visit use this type of packet to terminate the connection, which is actually not the way according to the RFC I guess. that's why it comes up in your log. I also read on the site that guarddog dumps its log to the syslog. maybe syslog can be configured to store the guarddog messages to another file, but I haven't completed reading the man-pages
success,
-= iluvatar =-
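
A way to triage the drop lines discussed in posts #4 and #6, as an added example that is not part of the original thread: it splits each netfilter LOG line into fields, separates RSTs coming from port 80 from unsolicited inbound SYNs, and collapses SYN retransmissions into single attempts. The function names, the category labels and the `WEB_PORTS` set are assumptions of this example; the sample lines are copied from the first post.

```python
from collections import Counter
# Five lines copied verbatim from the first post of this thread.
SAMPLE = """\
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.37.147 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=64926 PROTO=TCP SPT=80 DPT=1037 SEQ=2538350621 ACK=4238546219 WINDOW=9300 RES=0x00 RST URGP=0
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48371 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48499 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15747 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.187.244.186 DST=62.30.238.191 LEN=46 TOS=0x00 PREC=0x00 TTL=52 ID=61833 PROTO=UDP SPT=33028 DPT=7818 LEN=26
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
WEB_PORTS = {"80"}  # assumption: only the HTTP port named in the thread

def parse(line):
    """Split a netfilter LOG line into KEY=value fields and bare TCP flag words."""
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)  # keep the first LEN=/ID= (IP header)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(fields, flags):
    """Label one drop; the category names are this example's own."""
    if fields.get("PROTO") != "TCP":
        return "other"
    if "RST" in flags and fields.get("SPT") in WEB_PORTS:
        return "web-server-rst"  # the noise the Guarddog documentation describes
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"     # unsolicited connection attempt
    return "other"

def summarize(text):
    """Count drops per (category, DPT); a retransmitted SYN repeats SRC, SPT,
    DPT and SEQ (only ID changes), so those lines collapse into one attempt."""
    counts, attempts = Counter(), set()
    for line in (l for l in text.splitlines() if "DROPPED" in l):
        fields, flags = parse(line)
        cat = classify(fields, flags)
        counts[(cat, fields.get("DPT", "-"))] += 1
        if cat == "inbound-syn":
            attempts.add(tuple(fields.get(k) for k in ("SRC", "SPT", "DPT", "SEQ")))
    return counts, attempts

if __name__ == "__main__":
    counts, attempts = summarize(SAMPLE)
    print(dict(counts), "distinct SYN attempts:", len(attempts))
```
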

04-08-2004, 12:34 PM #7
Senior Member
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736
Original Poster

ok
I turned off all logging from guarddog and dmesg now reads ok
many thanks for your help
All times are GMT -5. The time now is 02:28 AM.